The development of data privacy regulation in Costa Rica is divided between two laws. The first law is Law No. 7975, Undisclosed Information Law, which makes it a crime to disclose confidential/personal information without authorization. The second law is Law No. 8968, Protection in the Handling of the Personal Data of Individuals, which was enacted to regulate the activities of companies that administer databases containing personal information. Therefore, its scope is limited.
DEFINITION OF PERSONAL DATA
Personal information contained in public or private registries (e.g. medical records) that identifies or could be used to identify a natural person. Personal information can only be disclosed to persons/entities with a "need to know" such information.
DEFINITION OF SENSITIVE PERSONAL DATA
Personal information relating to ideological orientation, creed or sexual preferences. Sensitive personal data cannot be disclosed without express prior authorization from the data subject.
NATIONAL DATA PROTECTION AUTHORITY
Pursuant to Law No. 8968, the Agency for the Protection of Individual's Data (hereinafter the "Agency") is the entity charged with enforcing compliance with the regulation. The Constitutional Court also has jurisdiction to hear claims alleging violations of the Laws.
Under Law 8968, companies that manage databases containing personal information and that sell such personal information must register with the Agency.
DATA PROTECTION OFFICERS
There is no requirement for a data protection officer.
COLLECTION AND PROCESSING
Any company may store and manage a database containing personal information if the following rules are respected: (i) when accumulating personal information, private companies and/or the government must respect the "sphere of privacy" to which all individuals are entitled; (ii) companies that maintain personal information about others in their databases must ensure that such information is (a) materially truthful; (b) complete; and (c) accurate; and that (d) individuals have access to their personal data and are entitled to dispute any erroneous or misleading information about them.
Companies that manage databases containing personal information and that sell such personal information must comply with Law 8968, including by (i) reporting the company and the database to the Agency, (ii) reporting the technical issues related to the security of the database, (iii) protecting and respecting confidentiality issues, (iv) securing the information they maintain, and (v) establishing a proceeding to review requests by individuals to review and amend any errors or mistakes in the database.
Transfer of personal information is authorised if: (i) data subjects give written consent; or (ii) information transferred is public.
Any company or individual using and/or managing this type of information must take all necessary steps to guarantee that the information is kept in a safe environment. If security is breached because of improper management or protection, then the responsible company may be held liable, and may be subject to penalties and civil liability for any harm.
There is no mandatory requirement. Nonetheless, if there is a breach the entity is liable.
All claims can be brought directly to: (i) the entity, (ii) the Agency or (iii) the Constitutional Court.
General rules of data protection will apply. There is little to no regulation of electronic marketing. However, pursuant to the Telecommunications Act, marketing companies may not advertise via phone unless they have express written consent from the data subject.
ONLINE PRIVACY (INCLUDING COOKIES AND LOCATION DATA)
There has been little to no regulation in this area. However, the general rules of data protection issued by the Constitutional Court, with respect to the collection and processing of personal information, do apply.
© DLA Piper